Bug 1739242

Summary: False positives for audit rules after remediation
Product: Red Hat Enterprise Linux 8 Reporter: Kwan Lowe <kwan>
Component: scap-security-guide    Assignee: Matěj Týč <matyc>
Status: CLOSED ERRATA QA Contact: Matus Marhefka <mmarhefk>
Severity: medium Docs Contact:
Priority: medium    
Version: ---    CC: ggasparb, mhaicman, wsato
Target Milestone: rc   
Target Release: 8.1   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.46-1.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-05 21:17:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kwan Lowe 2019-08-08 20:14:42 UTC
Description of problem:
Similar to (https://bugzilla.redhat.com/show_bug.cgi?id=1723994) but regarding audit rules for DAC controls.

From SCAP-Workbench, I ran the "OSPP - Protection Profile for General Purpose Operating Systems (187)" against a default AWS RHEL8 image. It had many failures, including the audit rules in the original entry. From this, I generated an Ansible remediation script and applied it. I manually added the lines from Watson Sato from the above Bugzilla to my /etc/audit/rules.d/mycompany.rules. I also manually restarted the audit service and verified that the new rulesets appeared in /etc/audit/audit.rules.

On rerunning the SCAP scan, none of the errors relating to audit show as remediated. However, the remediation script appears to have worked.

Version-Release number of selected component (if applicable):


How reproducible:
Always reproducible after running the scan.

Steps to Reproduce:
1. Install SCAP-Workbench and SCAP Security Guide.
2. From SCAP-Workbench, load the RHEL8 profile.
3. Choose the OSPP - Protection Profile for General Purpose Operating Systems
4. Add the remote system
5. Press Scan
6. Save the remediation file (remediation.yml)
7. Apply remediation (ansible-playbook remediation.yml)
8. Rerun the scan

Actual results:

Audit results still show that failures are unremediated. 

Expected results:
Results should show that the failures are remediated. From a spot check of several rules for the auditd daemon, the remediation script does appear to be working but SCAP-Workbench is showing false positives.

Additional info:

Comment 1 Kwan Lowe 2019-08-08 20:15:43 UTC
On manual check, I confirmed that the audit rule is working by tailing /var/log/audit.log then creating a file and chmod'ing (touch foo; chmod 650 foo).

type=SYSCALL msg=audit(1565293919.182:48514): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55a39281f670 a2=1b5 a3=fff items=1 ppid=10210 pid=10254 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=60 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="perm_mod" ARCH=x86_64 SYSCALL=fchmodat AUID="ec2-user" UID="ec2-user" GID="ec2-user" EUID="ec2-user" SUID="ec2-user" FSUID="ec2-user" EGID="ec2-user" SGID="ec2-user" FSGID="ec2-user"
type=CWD msg=audit(1565293919.182:48514): cwd="/home/ec2-user"

Comment 2 Kwan Lowe 2019-08-19 16:09:33 UTC
Looks like same as this:

https://bugzilla.redhat.com/show_bug.cgi?id=1465675

Comment 3 Matěj Týč 2019-08-20 09:15:03 UTC
I have changed the category - scap-workbench is just a GUI for the OpenSCAP scanner, and the problem comes from a wrong combination of check and remediation in the content, so it is a scap-security-guide issue.

The link from your previous comment is supposed to be fixed in RHEL8 as it is based on a later upstream issue, so this one is something else.

You have not explicitly mentioned whether the system in question is a freshly installed one, or whether it already has some configuration changes; could you please clarify that?
And finally, if you are a RHEL subscriber, could you please reach out to customer support and open a case that could be attached to this Bugzilla?
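Comment 3 attributes the false positives to a mismatch between the check and the remediation in the content, not to the scanner or the GUI. The Python below is an added illustration of how such a mismatch produces a "fail" on a system whose auditing actually works; it is not code from this bug, from scap-security-guide or from OpenSCAP, and it does not reproduce the real OVAL check logic. A check that looks for one exact rule line misses an equivalent rule spelled differently (one rule per syscall instead of a grouped -S list, -F key= instead of -k, auid!=unset written numerically), while a check that normalises the rules and compares syscall coverage passes. It also pulls the key and syscall name out of an enriched SYSCALL record shaped like the one in Comment 1, which is the confirmation the reporter did by hand. The rule lines, the expected line, the required syscall set, the auid filters and the event record are all constructed for the example.

```python
"""Added example: literal-text vs. normalised audit-rule checks.

Illustrative code written for this page, not scap-security-guide content.
All rule text, the expected line and the event record are constructed.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set, Tuple

# Syscalls a hypothetical DAC-modification requirement wants watched (assumed).
REQUIRED_SYSCALLS: Set[str] = {"chmod", "fchmod", "fchmodat"}
# auid filters the requirement expects on every such rule (assumed).
REQUIRED_FILTERS: FrozenSet[str] = frozenset({"auid>=1000", "auid!=unset"})
# auditctl accepts several spellings of "unset"; fold them to one form.
_UNSET_ALIASES = {"auid!=4294967295": "auid!=unset", "auid!=-1": "auid!=unset"}


@dataclass
class SyscallRule:
    action: str                      # e.g. "always,exit"
    arch: Optional[str] = None       # value of -F arch=
    syscalls: Set[str] = field(default_factory=set)
    filters: Set[str] = field(default_factory=set)
    key: Optional[str] = None        # -k KEY or -F key=KEY


def parse_rule(line: str) -> Optional[SyscallRule]:
    """Parse one '-a action,list ...' auditctl line; None if not a syscall rule."""
    line = line.split("#", 1)[0].strip()          # drop comments and blanks
    if not line.startswith("-a "):
        return None
    tok = shlex.split(line)
    rule = SyscallRule(action=tok[1])
    i = 2
    while i + 1 < len(tok):                       # every flag here takes a value
        flag, val = tok[i], tok[i + 1]
        if flag == "-S":
            rule.syscalls.update(val.split(","))  # -S a,b,c and -S a -S b are equivalent
        elif flag == "-F" and val.startswith("arch="):
            rule.arch = val[len("arch="):]
        elif flag == "-F" and val.startswith("key="):
            rule.key = val[len("key="):]          # same meaning as -k
        elif flag == "-F":
            rule.filters.add(_UNSET_ALIASES.get(val, val))
        elif flag == "-k":
            rule.key = val
        i += 2
    return rule


def literal_check(rules_text: str, expected_line: str) -> bool:
    """A check that wants one exact line: fails on any equivalent spelling."""
    return any(l.strip() == expected_line for l in rules_text.splitlines())


def semantic_check(rules_text: str, required: Set[str], arch: str = "b64",
                   filters: FrozenSet[str] = REQUIRED_FILTERS) -> Tuple[bool, Set[str]]:
    """Pass when the union of qualifying rules covers every required syscall.
    Returns (ok, syscalls still missing) so a report can say what is absent."""
    covered: Set[str] = set()
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r and r.action == "always,exit" and r.arch == arch and filters <= r.filters:
            covered |= r.syscalls
    return required <= covered, required - covered


def event_hit(record: str) -> Optional[Tuple[str, str]]:
    """From an enriched SYSCALL record return (key, syscall name), proving the rule fired."""
    key = re.search(r'\bkey="([^"]*)"', record)
    name = re.search(r'\bSYSCALL=(\w+)', record)
    return (key.group(1), name.group(1)) if key and name else None


# Constructed sample rule sets: same coverage, different text.
GROUPED_RULES = ("-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat "
                 "-F auid>=1000 -F auid!=unset -k perm_mod\n")
SPLIT_RULES = """\
# one rule per syscall, -F key= instead of -k, numeric unset
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
"""
EXPECTED_LINE = GROUPED_RULES.strip()
# Constructed record, trimmed to the fields that matter, in the enriched format.
SAMPLE_EVENT = ('type=SYSCALL msg=audit(1565293919.182:48514): arch=c000003e syscall=268 '
                'success=yes exit=0 comm="chmod" exe="/usr/bin/chmod" key="perm_mod" '
                'ARCH=x86_64 SYSCALL=fchmodat AUID="ec2-user"')

if __name__ == "__main__":
    for name, text in (("grouped", GROUPED_RULES), ("split", SPLIT_RULES)):
        print(f"{name:8s} literal={literal_check(text, EXPECTED_LINE)!s:5s} "
              f"semantic={semantic_check(text, REQUIRED_SYSCALLS)}")
    print("event:", event_hit(SAMPLE_EVENT))
```

Run stand-alone it prints that the split rule set fails the literal check but passes the semantic one, and that the sample record carries key perm_mod for fchmodat. The point for content authors is that a check and its remediation must agree on one canonical spelling, or the check must normalise as above; otherwise a system that is correctly auditing the syscalls is reported as non-compliant.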

Comment 4 Kwan Lowe 2019-08-20 14:35:25 UTC
Matěj:  Thank you for the response.

The remediation was run on a freshly installed RHEL8 from Amazon AWS Marketplace. I believe that this image is Red Hat maintained. No other configurations were added except to install the scanner.

I will open a case through the Portal.

Thank you!

Comment 5 Kwan Lowe 2019-08-20 14:47:08 UTC
Support Case https://access.redhat.com/support/cases/#/case/02452733 added.

Comment 7 Matěj Týč 2019-09-11 14:48:08 UTC
This has been addressed by https://bugzilla.redhat.com/show_bug.cgi?id=1723466 where the audit rules have been drastically simplified.

Comment 11 errata-xmlrpc 2019-11-05 21:17:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3453